[OpenAFS] More questions about the re-keying document
Benjamin Kaduk
kaduk@MIT.EDU
Thu, 25 Jul 2013 19:35:34 -0400 (EDT)
On Thu, 25 Jul 2013, Benjamin Kaduk wrote:
> There's another MIT-specific reason to not include a DES key in the
> rxkad.keytab, namely that the MIT KDC does not set requires_preauth on new
> principals by default. This means that if there's a DES key in the KDB, an
> unauthenticated attacker can make an AS_REQ with the afs principal as the
> "client principal", and claim to only support des-cbc-crc. Since
> preauthentication is not required, the KDC will create an AS_REP and use the
> DES key from the KDB to encrypt the reply. Now the attacker has a
> plaintext/ciphertext pair with which to mount an offline brute force attack.

I should note that just setting the requires_preauth flag on the afs
service principal to prevent this attack is not a good idea.
Unfortunately, the same flag is used to indicate different things when a
principal is acting as a client and when it is acting as a server. Here,
we want the client behavior, requiring preauthentication before initial
credentials are granted. The service behavior is that the flag causes the
KDC to require clients to present credentials which were obtained using
preauthentication, before the KDC will issue a service ticket for this
service principal. If the afs service principal does not have the flag
set, it is likely that user principals do not either, so in effect users
will be locked out of accessing AFS.

-Ben